For a period of about 18 months, Ransomware dominated the news related to information security. Companies of all sizes and verticals were under attack by cybercriminals that were looking to make a quick buck, or a lot of bucks in some cases. Then, all of the sudden, Ransomware sort of went quiet and we didn’t hear about it as much. There are numerous possible reasons for ransomware going quiet for some time. One popular thought is that these cybercriminals were further developing their malware code to become more effective. The introduction of Ransomware-as-a-Service (RaaS) has further complicated ransomware as cybercriminals buy “older” versions of this malware, “improve” upon it, and then blast it out to everyone. Ransomware is like a game of cat and mouse; cybercriminals create a version that is effective for a short amount of time, the information security world catches on and figures out how to either decrypt the ransomware and unlock the files and our anti-malware systems/email gateways/anti-virus programs identify the malware and mitigate the chances of it getting through to our systems.
Earlier this year, various Ransomware examples began to pop up, especially around the “Locky” ransomware variant, as well as others. There were some changes to the underlying code but nothing substantial according to security researchers. Now there is another new variant of the Locky ransomware that was identified over the past couple of days, and one that we need to be aware of and pay attention to.
This new version of Locky is called IKARUS or Locky Diablo 6 by some security firms. The challenge with this specific Ransomware example is that it evades your machine learning (your spam filters.) The email appears to come from a vendor that you work with and contains an attachment that looks to be a scanned document from a Konica Minolta C224e, which happens to be a very popular business class scanner/printer. So here you have a double whammy: It looks to come from someone legit and it looks to be a scan from a very popular business scanner/printer. The problem is that it is not legit and is a nightmare if you open the attachment.
So what do you do to mitigate your risk of an infection? The good news is that all the same rules apply for this Ransomware variant as they did to others:
- Disable Local Admin Privileges – This version of ransomware still requires an executable be run on the local machine. By disabling local admin privileges, users cannot run the executable and therefore cannot install the ransomware.
- Don’t Click on the Attachment (or Link) – If you get an email from a vendor that has an attachment, place a quick call to confirm it is legit. For this ransomware example, the subject line of the email is “Message from KM_C224e” and the body of the email is empty. That should be a glaring red flag not to open the attachment. There is a second variant of the email that contains the same ransomware with the subject line “Status of Invoice A2171771-07.” Note: It is not clear if the invoice number changes yet so be wary of any subject line that begins with “Status of Invoice….” Bottom line, don’t open the attachment unless you verify via phone that it is legit.
- Train and Test Your Employees – Your employees are the last line of defense and can either be your strongest defense mechanism or your weakest link. Train your employees on the latest threats and then test them through phishing campaigns and other social engineering assessments. Use the opportunities for positive growth and education to strengthen your defenses. Plus, isn’t it better if you test them versus a cybercriminal?
- Back Up Often Off the Network – Back up your files regularly, but conduct those backups offline or off the network. The last thing that you want to have happen is you go through the process of backing your files up, keep the backup on the network, and then you get hit with a Ransomware attack and both your working files and most recent backup are encrypted. Keep the backup off the network and should you suffer a successful attack, you can restore from backup and be back up and running quicker and cheaper than having to pay a ransom.
Be alert and remember, your best line of defense is your people. Ransomware will come and go and peak at times but if you have a solid training program in place and test your employees, your chances of suffering a successful attack drop dramatically! The challenge in this is getting started as it can appear to be a daunting task. The good news is that we can help you through all phases but the first phase is educating yourself on the threats and attacks which is why we have included a link to our webinar presentation that talks about what hacking is today versus in the past and what you can do to mitigate your risk. Click on the image below to download a copy and for extra credit, check out a recording of the webinar that we gave as part of our monthly educational webinar series. Till next time…
Webinar Recording Link: https://www.compassitc.com/september-2016-webinar-recording-thank-you
For more webinar recordings, check out our YouTube Channel: https://www.youtube.com/channel/UCccfSU7EGGTS76hz2i6qdrg/videos